Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

The secret codes typed in by banking customers can be recorded using the residual heat left behind on the keypad, says a group of researchers from the University of California at San Diego.

The group’s paper, presented earlier this month at the USENIX Workshop on Offensive Technologies, shows that a digital infrared camera can read the digits of a customer’s PIN number on the keypad more than 80 percent of the time if used immediately. And if the camera is used a minute later, says Keaton Mowery, a doctoral student in computer science at UCSD, it can still detect the correct digits about half the time.

The research, which Mowery conducted with fellow student Sarah Meiklejohn and professor Stefan Savage, is based on previous work by well-known security researcher Michal Zalewski, who in 2005 used an infrared camera to detect codes punched into a safe with a keypad lock. While Zalewski was able to detect the codes even after five minutes, the UCSD researchers found that the chance of extracting the proper digits dropped to about 20 percent after 90 seconds.

The infrared method can circumvent defensive strategies, such as shielding the keypad. However, an ATM user could evade this infrared surveillance merely by placing a hand over the entire keypad to warm all of the keys, says Mowery. And if an ATM also uses the keypads for entering other numbers, such as the amount of money to withdraw, it contributes additional noise, says Meiklejohn.

The method has other weaknesses as well. “With plastic keypads, we can reliably detect which buttons were pressed, but it is really difficult to determine the order,” Mowery says. Even if the image was recorded immediately after the user typed it in, the order of the digits was only detectable about 20 percent of the time.

And if the keypad is metal, fuhgeddaboudit. “Essentially, if you pointed the camera directly at the metal keypad, it would show you the thermal fingerprint of you, the camera operator, rather than of the keypad itself,” Meiklejohn says. “However, we didn’t push it, because the plastic keypad did work. It’s possible that someone else could solve those issues.”

Combine all of these shortcomings with the cost of the infrared camera—$2,000 a month to rent, about $18,000 to buy—and the likelihood of anyone attacking an ATM this way is low, says researcher Zalewski. “Miniature daylight cameras are a lot simpler and more reliable,” he says. “So is mugging.”

11 comments. Share your thoughts »

Credit: UCSD

Tagged: Computing, hack, ATM, thermal imaging

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me